- Pharmacy Management System: 1.0
- Vulnerability Type: Stored Cross-Site Scripting (XSS)
- Severity: HIGH
- Status: Unpatched
- Vulnerable Endpoint: /php/manage_medicine.php?action=update&id=2&name=Crosin&packing=1&generic_name=Aaaaa32131&suppliers_name=aaa
A stored XSS vulnerability has been identified in Pharmacy Management System version 1.0, in the medicine update functionality of /php/manage_medicine.php (action=update). The suppliers_name parameter is written to the database without validation and later rendered into the medicine details page without output encoding. An attacker can therefore inject JavaScript that is stored persistently and executed every time the affected medicine record is viewed.
Because the payload runs in the browser of any administrator or user who views the affected page, the consequences include:
- Session hijacking
- Theft of sensitive data (e.g., cookies and session tokens, where the session cookie is not marked HttpOnly)
- Privilege escalation (e.g., the injected script performing administrative actions in the victim's authenticated session)
- UI defacement or manipulation (e.g., injecting a fake login form for phishing)
Since the payload persists in the database, the attack does not depend on tricking a victim into clicking a crafted link: every visit to the record re-triggers it, which allows long-term tampering with page behaviour and with critical pharmaceutical records.
Below is a sample malicious payload injected into the suppliers_name parameter:
<script>alert('XSS');</script>
Once injected, the payload is stored in the system's database. Each time the page displaying the medicine details is loaded, the script triggers an alert, which is sufficient to demonstrate the XSS. A real attacker would replace the alert with code that redirects users, exfiltrates data, or steals sessions.
GET /php/manage_medicine.php?action=update&id=2&name=Crosin&packing=1&generic_name=Aaaaa32131&suppliers_name=%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive
The request is sent with a valid PHPSESSID cookie, i.e., from an account that is allowed to update medicines. After it is executed, the malicious JavaScript is embedded in the suppliers_name field of record id=2, and any subsequent access to the page that displays that record triggers the payload.
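The following PHP is an added example written for this advisory; it is not code from the Pharmacy Management System, whose manage_medicine.php source is not shown here. It assumes a hypothetical details page that prints the stored suppliers_name into a table cell, shows the unencoded rendering that makes the PoC above work, and places the fix beside it: contextual output encoding with htmlspecialchars, plus an optional allow-list check on the write side.

```php
<?php
// Added example for the advisory, not the project's own code.
// The functions below stand in for the (unseen) rendering logic of
// manage_medicine.php; their names are assumptions.

// Vulnerable rendering: the stored suppliers_name is concatenated
// straight into HTML, so the payload from the PoC comes back as live
// markup and the browser executes it.
function render_supplier_unsafe(string $suppliers_name): string
{
    return '<td>' . $suppliers_name . '</td>';
}

// Hardened rendering: encode for an HTML text-node context.
// ENT_QUOTES also encodes ' and ", so the same helper is safe inside a
// double-quoted attribute value; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop data.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_supplier_safe(string $suppliers_name): string
{
    return '<td>' . esc_html($suppliers_name) . '</td>';
}

// Defence in depth on the write side: reject values that cannot be a
// real supplier name before they reach the database. This narrows what
// gets stored but does not replace output encoding, because data can
// also enter the table by other paths (imports, older records, SQL).
function validate_supplier_name(string $name): bool
{
    return strlen($name) <= 100
        && preg_match('/^[\p{L}\p{N} .,&\'-]+$/u', $name) === 1;
}

// Constructed input: the payload used in the PoC request above.
$payload = "<script>alert('XSS');</script>";

// Unsafe output contains the raw <script> tag; safe output does not.
echo render_supplier_unsafe($payload), PHP_EOL;
echo render_supplier_safe($payload), PHP_EOL;

// The payload fails the allow-list, a legitimate name passes.
var_dump(validate_supplier_name($payload));
var_dump(validate_supplier_name('Cipla Ltd.'));
```

Run it with `php example.php`. The encoding in esc_html must be applied at the point where the value is written into HTML, not at input time, because the correct encoding depends on the output context (HTML body, attribute, JavaScript string, URL); a value stored pre-encoded for one context is not safe in another.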